CN113743512A - Autonomous learning judgment method and system for safety alarm event - Google Patents

Autonomous learning judgment method and system for safety alarm event Download PDF

Info

Publication number: CN113743512A
Authority: CN (China)
Prior art keywords: value, function, alarm, judgment, score
Legal status: Pending (current; the status is an assumption, not a legal conclusion)
Application number: CN202111047170.1A
Other languages: Chinese (zh)
Inventors: 孙宇, 胡绍勇
Current assignee: Information and Data Security Solutions Co Ltd
Original assignee: Information and Data Security Solutions Co Ltd
Priority date: 2021-09-07
Filing date: 2021-09-07
Publication date: 2021-12-03
Application filed by Information and Data Security Solutions Co Ltd
Priority to CN202111047170.1A
Publication of CN113743512A

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation > G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/24 Classification techniques
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N20/00 Machine learning
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications > H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1433 Vulnerability analysis


Abstract

An autonomous learning judgment method and system for security alarm events, belonging to the technical field of data processing, which solves the problem of how to judge, through autonomous learning, whether a given piece of alarm data is a security vulnerability when the volume of alarm data is massive. The method constructs a security event judgment model, trains the model, corrects the error of the calculation result, and inputs the current alarm data for judgment. By learning from historical alarm data and grasping its characteristics, new data is studied and judged automatically, so that people no longer need to face massive raw data; manual errors are reduced and efficiency is greatly improved.

Figure 202111047170

Description

Autonomous learning judgment method and system for safety alarm event
Technical Field
The invention belongs to the technical field of data processing, and relates to a safety alarm event autonomous learning judgment method and system.
Background
As shown in fig. 4, the existing process of converting alarm data into security events is judged and handled entirely by manual work: security monitoring personnel must review the data by hand to determine which records are potential system security hazards and vulnerabilities. Alarm data is characterized by large volume, many dimensions and strong real-time requirements, and a typical alarm record carries 10 to 20 attributes of raw data, such as category, level, description, IP, protocol and port. A human auditor has to review these attributes and make a decision according to the rules. Assuming an auditor can judge one piece of alarm data in 1 minute, one auditor can audit only 8 × 60 = 480 alarms in an 8-hour working day. Processing 48,000 records a day would require 100 auditors, and 4,800,000 records would require 10,000 auditors, which is obviously impractical. The efficiency of manual review cannot keep up with the growing data volume and the ever-higher real-time requirements of enterprises, and manual judgment also suffers from errors, omissions and low efficiency.
To overcome the difficulty of manual review, a machine must be introduced to process alarms automatically. The judgment rules are configured in a system; after alarm data is received, it is matched against a rule base, and if a rule matches, the corresponding processing is performed. Conventional rule processing has a limitation, however: a rule is usually never changed after it is set, so if the rule is wrong the error keeps accumulating, and when data not covered by any rule is encountered, the judgment is missed. In the prior art, Chinese patent application CN110457906A, "An intelligent alarm method for network security incidents", published on 15 November 2019, discloses a hyper-parameter optimization step: performing hyper-parameter optimization of the model parameter theta of a long short-term memory network model that follows quantile regression, based on historical network security data, to obtain the optimal model parameters; a training and curing step: off-line training and solidifying the quantile-regression long short-term memory network model based on its optimized model parameters; an intelligent alarm interval calculation step: calculating an intelligent network security alarm interval with the quantile-regression long short-term memory network model based on online network security data; and an interval comparison step: comparing the online network security data with the intelligent alarm interval and raising an alarm if the data falls outside the interval. That document, however, does not solve the problem that a machine-learning judgment algorithm fails to judge when it encounters data not covered by the rules.
Disclosure of Invention
The invention aims to design an autonomous learning judgment method and an autonomous learning judgment system for security alarm events, so as to solve the problem of judging, through autonomous learning, whether a given piece of alarm data is a security vulnerability under the condition of massive alarm data.
The invention solves the technical problems through the following technical scheme:
a safety alarm event autonomous learning judgment method comprises the following steps:
s1, constructing a safety event judgment model, wherein the safety event judgment model comprises: a scoring function and a judging function;
s2, training the safety event judgment model: initializing each weight value of a score function, reading a historical data sample set, converting the historical data sample set into a matrix form, inputting each alarm data in the matrix into the score function to obtain a corresponding score value, and substituting the score value of each alarm data into a judgment function to obtain a calculation result;
s3, error correction of calculation result: subtracting the corresponding calculation result from the real result of the alarm data to obtain a result error value, judging the result error value, adjusting each weight value of the score function according to the judgment result and finishing the training of the safety event judgment model;
s4, inputting current alarm data for judgment: and substituting the current alarm data into the trained score function to obtain the score of the current alarm data, substituting the score into the judgment function to obtain a calculation result, and judging whether the current alarm data is a security vulnerability or not according to the calculation result.
According to this technical scheme, a security event judgment model is constructed, the characteristics of historical alarm data are learned, the error of the calculation result is corrected, and the current alarm data is input for judgment; new data is studied and judged automatically, people no longer need to face massive raw data, manual errors are reduced, and efficiency is greatly improved.
As a further improvement of the technical solution of the present invention, the score function in step S1 is y = w0 + w1x1 + … + wnxn and the judgment function is h(y) = sigmoid(y), where x1 … xn respectively represent the 1st … nth dependent variable corresponding to the alarm data, w1 … wn are respectively the weight values of x1 … xn, and w0 is a fixed value used to adjust the output value.
As a further improvement of the technical solution of the present invention, the historical data sample set in step S2 includes: attribute values and judgment results, wherein the attribute values comprise alarm types, alarm levels, asset numbers, application layer protocols and alarm ports.
As a further improvement of the technical solution of the present invention, in step S3, the result error value is judged by using a square loss function or a logarithmic loss function.
As a further improvement of the technical solution of the present invention, the step S3 of adjusting each weight value of the score function according to the evaluation result and completing the training of the security event judgment model includes:
step S31, when the result error value is positive, each weight value of the score function is adjusted down, and when the result error value is negative, each weight value of the score function is adjusted up;
step S32, obtaining new score values of each alarm data according to the adjusted score function;
and repeating the steps S31 and S32, and finishing the training of the safety event judgment model when the new score value is optimal.
A security alarm event autonomous learning decision system, comprising: the system comprises a model building module, a model training module, an error correction module and a judgment module;
the model building module is used for constructing a safety event judgment model, and the safety event judgment model comprises: a scoring function and a judging function;
the model training module is used for training the safety event judgment model: initializing each weight value of a score function, reading a historical data sample set, converting the historical data sample set into a matrix form, inputting each alarm data in the matrix into the score function to obtain a corresponding score value, and substituting the score value of each alarm data into a judgment function to obtain a calculation result;
the error correction module is used for correcting the error of the calculation result: subtracting the corresponding calculation result from the real result of the alarm data to obtain a result error value, judging the result error value, adjusting each weight value of the score function according to the judgment result and finishing the training of the safety event judgment model;
the judging module is used for inputting current alarm data for judgment: and substituting the current alarm data into the trained score function to obtain a score value of the current alarm data, and substituting the score value into a judgment function to obtain a calculation result so as to judge whether the current alarm data is a security vulnerability.
As a further improvement of the technical solution of the present invention, the score function in the model building module is y = w0 + w1x1 + … + wnxn and the judgment function is h(y) = sigmoid(y), where x1 … xn respectively represent the 1st … nth dependent variable corresponding to the alarm data, w1 … wn are respectively the weight values of x1 … xn, and w0 is a fixed value used to adjust the output value.
As a further improvement of the technical scheme of the invention, the historical data sample set in the model training module comprises: attribute values and judgment results, wherein the attribute values comprise alarm types, alarm levels, asset numbers, application layer protocols and alarm ports.
As a further improvement of the technical scheme of the invention, the error correction module adopts a square loss function or a logarithmic loss function to judge the result error value.
As a further improvement of the technical solution of the present invention, the error correction module includes:
the weight value adjusting submodule is used for reducing each weight value of the score function when the result error value is positive and increasing each weight value of the score function when the result error value is negative;
the calculating submodule is used for obtaining a new score value of each alarm data according to the adjusted score function;
and the determining submodule is used for finishing the training of the safety event judgment model when the new score value is optimal.
The invention has the advantages that:
according to this technical scheme, a security event judgment model is constructed, the characteristics of historical alarm data are learned, the error of the calculation result is corrected, and the current alarm data is input for judgment; new data is studied and judged automatically, people no longer need to face massive raw data, manual errors are reduced, and efficiency is greatly improved.
Drawings
FIG. 1 is a flow chart of a method for autonomous learning and determining a security alarm event according to an embodiment of the present invention;
FIG. 2 is a diagram of mapping alarm data to points on a plane according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of various types of dots divided by a straight line in accordance with an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a conventional manual determination of a security alarm event;
fig. 5 is a schematic diagram of the safety warning event autonomous learning determination principle of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As described in the background art, the problem of missed judgment exists when an alarm is processed currently, but the problem in this respect can be effectively solved by the intelligent studying and judging algorithm based on machine learning, which is specifically shown in fig. 5: in the application, a plurality of 'rules' (actually parameters in an algorithm) are summarized from a large amount of historical data to initialize the system. When the system runs, the algorithm is further optimized through the continuously accumulated data, the robustness is increased, and the missing judgment is reduced.
The technical scheme of the invention is further described by combining the drawings and the specific embodiments in the specification:
example one
As shown in fig. 1, an autonomous learning and determining method for a security alarm event includes the following steps:
1. Constructing a security event judgment model, which comprises a score function and a judgment function. The score function is y = w0 + w1x1 + … + wnxn and the judgment function is h(y) = sigmoid(y), where x1 … xn respectively represent the 1st … nth dependent variable corresponding to the alarm data, w1 … wn are respectively the weight values of x1 … xn, and w0 is a fixed value used to adjust the output value.
2. Training a safety event judgment model: initializing each weight value of a score function to 1, reading a historical data sample set, converting the historical data sample set into a matrix form, inputting each alarm data in the matrix into the score function to obtain a corresponding score value, and substituting the score value of each alarm data into a judgment function to obtain a calculation result; the historical data sample set comprises: attribute values and a judgment result, wherein the attribute values are respectively as follows: alarm type, alarm level, number of assets, application layer protocol, alarm port.
3. Error correction of the calculation results: subtracting the calculation result from the real data result to obtain a result error value, judging the error value, and correspondingly reducing or increasing each weight value of the score function according to the judgment result; the error value is judged by adopting a square loss function.
4. Inputting current alarm data for judgment: the current alarm data is substituted into the trained score function to obtain its score value, and the score value is substituted into the judgment function to obtain the calculation result, from which it is judged whether the current alarm data is a security vulnerability. The judgment rule is: when the calculation result lies between 0 and 0.5, the alarm data is judged not to be a security vulnerability; when the calculation result lies between 0.5 and 1, it is judged to be a security vulnerability.
As shown in fig. 2, to determine whether a given piece of alarm data is a security event, the argument (the result) can take only the values 0 and 1, which indicate respectively that the alarm data is not, or is, a security event. The dependent variables are many, for example alarm type, alarm level, risk value, number of associated assets, associated units, and so on. A security event judgment function has to be designed that takes an arbitrary set of dependent variables as input and outputs a result of 0 or 1.
Each piece of data is mapped to a point on a plane, and different types of points are drawn with different shapes (for example, the squares and triangles in the figure represent two different classes). The points then fall into different regions, with a separable space between them whose boundary is in general a curve. Although a curve can divide the regions perfectly, its mathematical expression is complicated and not suitable for engineering use. Because of the special nature of the service data in this embodiment, which is either "0" or "1", a straight line can be used instead.
As shown in fig. 3, the different classes of points can be separated into regions by a straight line. The equation of this line can be expressed as y = w0 + w1x1 + … + wnxn, where x1 … xn respectively represent the 1st … nth dependent variable corresponding to the alarm data, w1 … wn are respectively the weight values of x1 … xn, and w0 is a fixed value used to adjust the output value.
The respective weight values then need to be calibrated by the real alarm data. The specific process is as follows:
A boundary value is set; the alarm data is input into the security event judgment function for calculation and the result is compared with the boundary value: if it is greater than the boundary value, the data is judged to belong to class 1, and if it is less than the boundary value, to class 2. This realizes the intelligent classification function. For example, given a sample set in which each sample has five dimension values (alarm type, alarm level, number of assets, application layer protocol, alarm port) and a result value: if the value of a dimension is not a number, it is mapped to a number through a mapping rule so that it can be used in mathematical calculation. The mapping rules differ for different dimensions, as shown in the following table:
Dimension                    True value   Mapping value
Application layer protocol   http         1
Application layer protocol   tcp          2
Application layer protocol   udp          3
Alarm port                   80           1
Alarm port                   22           2
Alarm port                   3306         3
The mapping table is extended continuously according to the service situation. The sample result takes two values, represented by 0 and 1; the data is shown below:
[Sample data table (image BDA0003250054780000061) not reproduced]
The task of machine learning is to find a function that predicts the probability of a result of 1 given the values of the two dimensions of a record. The model for this function is: h(y) = sigmoid(y), y = w0 + w1x1 + … + wnxn.
sigmoid is an S-shaped curve, also called the logistic function. Whatever value is passed in, it returns a result between 0 and 1, which makes it particularly suitable for yes-or-no decisions: for example, a function value between 0 and 0.5 is taken as "no" and a value between 0.5 and 1 as "yes". What we pass in here is the "score" of each alarm. The function y describes the score of one alarm record: x denotes an individual attribute of the alarm and w denotes the weight (coefficient) of that attribute. Multiplying every attribute of the alarm by its coefficient and summing the products gives one value, which is the score of the alarm.
The problem now becomes finding the optimal values of the parameters w (w0, w1, …, wn) from the existing sample data. Suppose we give w some initial values and then feed in the data of sample 1 and sample 2 to see how well this function predicts, assuming the predicted value for sample 1 is p1 = 0.8 and the predicted value for sample 2 is p2 = 0.4.
The error of the function on sample 1 is E1 = 1 − 0.8 = 0.2, on sample 2 it is E2 = 0 − 0.4 = −0.4, and the total error is E = E1 + E2 = −0.2, as shown in the following table:
[Error tables (images BDA0003250054780000062 and BDA0003250054780000071) not reproduced]
Knowing the error of the algorithm, we need to improve the algorithm so as to minimize the error. There are many ways to evaluate the error value, such as a square loss function or a logarithmic loss function. The square loss function is the least squares method; its principle rests on the central limit theorem, and it squares the difference between the predicted value and the actual value of each test record and then sums the squares.
For sample 1, our predicted value is smaller than the theoretical value, so we want to increase the output of the function, i.e. increase the value of w1x1. Since x1 is negative, we must reduce w1 to achieve this. For sample 2, our predicted value is larger than the theoretical value, so we want to reduce the function output, i.e. decrease the value of w1x1; since x1 is negative, w1 must be increased to reach the target. With the same algorithm, raising the coefficient makes the algorithm more accurate for sample 1, while lowering it would be more accurate for sample 2, so a trade-off is needed. For example, if after raising the coefficient the error of sample 1 drops greatly while the error of sample 2 rises only slightly, the coefficient can be raised. How much to raise it is expressed by a variable alpha, and the adjustment is tried again and again in very small steps; the attempts stop when the final accuracy is highest.
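The model, mapping table and calibration loop described in the embodiment above (steps 1 to 4 and the sample-1/sample-2 discussion), as an added example written for this page and not the patent's own code: a small Python implementation of the score function y = w0 + w1x1 + … + wnxn, the sigmoid judgment function with the 0.5 boundary, the protocol/port mapping rules, and weight calibration from a labelled sample set. The alarm-type and alarm-level mapping rows, the historical sample alarms and the alpha·error·x update rule are assumptions of this example.

```python
"""Added example, not the patent's code: the security event judgment model in
the patent's own terms (score y = w0 + w1*x1 + ... + wn*xn, judgment
h(y) = sigmoid(y), mapping table for non-numeric dimensions, weights calibrated
from labelled history). The alarm-type and alarm-level mapping rows, the sample
alarms and the alpha * error * x update rule are assumptions for this example."""
import math

# Mapping rules for non-numeric dimensions. The protocol and port rows are the
# ones in the patent's table; the alarm-type and alarm-level rows are constructed.
MAPPING = {
    "alarm_type": {"scan": 1, "brute_force": 2, "sqli": 3},   # constructed
    "alarm_level": {"low": 1, "medium": 2, "high": 3},         # constructed
    "protocol": {"http": 1, "tcp": 2, "udp": 3},
    "port": {80: 1, 22: 2, 3306: 3},
}
# The five dimensions of a sample, in the order the patent lists them.
DIMENSIONS = ["alarm_type", "alarm_level", "asset_count", "protocol", "port"]

def sigmoid(y):
    """Judgment function h(y): any score is mapped to a value between 0 and 1."""
    return 1.0 / (1.0 + math.exp(-y))

def encode(alarm):
    """Map one alarm record (dict) to the numeric vector x1..xn.

    A value with no mapping rule is exactly the 'data not covered by the rule'
    case the patent warns about; fail loudly instead of scoring a wrong number."""
    xs = []
    for dim in DIMENSIONS:
        value = alarm[dim]
        if dim in MAPPING:
            if value not in MAPPING[dim]:
                raise ValueError(f"no mapping rule for {dim}={value!r}")
            value = MAPPING[dim][value]
        xs.append(float(value))
    return xs

def score(weights, xs):
    """Score function y = w0 + w1*x1 + ... + wn*xn (weights[0] is w0)."""
    return weights[0] + sum(w * x for w, x in zip(weights[1:], xs))

def judge(weights, xs):
    """Calculation result h(y) for one encoded alarm."""
    return sigmoid(score(weights, xs))

def is_vulnerability(weights, alarm):
    """Boundary value 0.5: a result above it is judged a security vulnerability."""
    return judge(weights, encode(alarm)) > 0.5

def squared_loss(weights, samples):
    """Square loss: sum over samples of (real result - calculation result)^2."""
    return sum((label - judge(weights, xs)) ** 2 for xs, label in samples)

def train(samples, alpha=0.05, epochs=5000):
    """Calibrate the weights from labelled samples (steps 2 and 3 above).

    Weights start at 1. For each sample the result error is real - predicted,
    and each w_i is nudged by alpha * error * x_i, so the direction depends on
    the sign of x_i as in the patent's sample-1/sample-2 discussion. This is the
    gradient step of the logarithmic loss the patent names as an alternative."""
    weights = [1.0] * (len(samples[0][0]) + 1)
    for _ in range(epochs):
        for xs, label in samples:
            error = label - judge(weights, xs)
            weights[0] += alpha * error
            for i, x in enumerate(xs):
                weights[i + 1] += alpha * error * x
    return weights

def training_accuracy(weights, samples):
    """Fraction of samples whose judged class matches the real result."""
    hits = sum((judge(weights, xs) > 0.5) == bool(label) for xs, label in samples)
    return hits / len(samples)

# Constructed historical sample set: (alarm record, real result 0/1).
HISTORICAL_ALARMS = [
    ({"alarm_type": "scan", "alarm_level": "low", "asset_count": 1, "protocol": "http", "port": 80}, 0),
    ({"alarm_type": "scan", "alarm_level": "low", "asset_count": 2, "protocol": "udp", "port": 80}, 0),
    ({"alarm_type": "brute_force", "alarm_level": "medium", "asset_count": 1, "protocol": "tcp", "port": 22}, 0),
    ({"alarm_type": "sqli", "alarm_level": "high", "asset_count": 3, "protocol": "http", "port": 80}, 1),
    ({"alarm_type": "brute_force", "alarm_level": "high", "asset_count": 4, "protocol": "tcp", "port": 22}, 1),
    ({"alarm_type": "sqli", "alarm_level": "medium", "asset_count": 2, "protocol": "tcp", "port": 3306}, 1),
]
SAMPLES = [(encode(alarm), label) for alarm, label in HISTORICAL_ALARMS]

if __name__ == "__main__":
    w = train(SAMPLES)
    print("weights:", [round(v, 3) for v in w])
    print("training accuracy:", training_accuracy(w, SAMPLES))
    print("square loss:", round(squared_loss(w, SAMPLES), 4))
```

An alarm whose protocol or port has no row in the mapping table raises an error rather than being scored, which is the operational check a practitioner wants for the "data not covered by the rule" case the background section describes.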
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1.一种安全告警事件自主学习判定方法,其特征在于,包括以下步骤:1. A method for self-learning and judging of safety alarm events, characterized in that, comprising the following steps: S1、构造安全事件判断模型,所述的安全事件判断模型包括:得分函数和判断函数;S1, construct a security event judgment model, and the security event judgment model includes: a score function and a judgment function; S2、对安全事件判断模型进行训练:将得分函数的各个权重值进行初始化,读取历史数据样本集,将历史数据样本集转化为矩阵形式,将矩阵中的每个告警数据输入到得分函数求出对应的得分值,将每个告警数据的得分值代入判断函数得到计算结果;S2. Train the security event judgment model: initialize each weight value of the score function, read the historical data sample set, convert the historical data sample set into a matrix form, and input each alarm data in the matrix into the score function to calculate The corresponding score value is obtained, and the score value of each alarm data is substituted into the judgment function to obtain the calculation result; S3、计算结果的误差修正:用告警数据的真实结果减去对应的计算结果得到结果误差值,并对结果误差值进行评判,根据评判结果调整得分函数的各个权重值并完成安全事件判断模型的训练;S3. Error correction of the calculation result: subtract the corresponding calculation result from the real result of the alarm data to obtain the error value of the result, judge the error value of the result, adjust each weight value of the score function according to the judgment result, and complete the security event judgment model. train; S4、输入当前告警数据进行判断:将当前告警数据代入训练好的得分函数中,从而得到当前告警数据的得分值,将得分值代入判断函数得到计算结果,根据计算结果判断当前告警数据是否为安全漏洞。S4. Input the current alarm data for judgment: Substitute the current alarm data into the trained score function to obtain the score value of the current alarm data, substitute the score value into the judgment function to obtain the calculation result, and judge whether the current alarm data is based on the calculation result. for security breaches. 2.根据权利要求1所述的一种安全告警事件自主学习判定方法,其特征在于,步骤S1中所述的得分函数为y=w0+w1x1+…+wnxn,所述的判断函数为h(y)=sigmoid(y);其中,x1…xn分别表示告警数据对应的第1个…第n个因变量,w1…wn分别是x1…xn的权重值;w0是固定值,用来调整输出值。2 . 
The method for self-learning and judging of security alarm events according to claim 1 , wherein the score function described in step S1 is y=w 0 +w 1 x 1 +…+w n x n , so The above judgment function is h(y)=sigmoid(y); in which, x 1 ... x n respectively represent the 1st ... nth dependent variable corresponding to the alarm data, and w 1 ... w n are respectively x 1 ... x n The weight value of ; w 0 is a fixed value used to adjust the output value. 3.根据权利要求1所述的一种安全告警事件自主学习判定方法,其特征在于,步骤S2中所述的历史数据样本集包括:属性值及判断结果,所述的属性值包括告警类型、告警等级、资产数量、应用层协议、告警端口。3. The method for self-learning and judging of security alarm events according to claim 1, wherein the historical data sample set described in step S2 includes: attribute values and judgment results, and the attribute values include alarm type, Alarm level, asset quantity, application layer protocol, alarm port. 4.根据权利要求1所述的一种安全告警事件自主学习判定方法,其特征在于,步骤S3中采用平方损失函数或对数损失函数对结果误差值进行评判。4 . The method for self-learning and judging of safety alarm events according to claim 1 , wherein in step S3 , a square loss function or a logarithmic loss function is used to judge the result error value. 5 . 5.根据权利要求1所述的一种安全告警事件自主学习判定方法,其特征在于,步骤S3中根据评判结果调整得分函数的各个权重值并完成安全事件判断模型的训练包括:5. 
The method for self-learning and judging of a security alarm event according to claim 1, wherein in step S3, adjusting each weight value of the score function according to the judgment result and completing the training of the security event judgment model comprises:

Step S31: when the result error value is positive, lower each weight value of the score function; when the result error value is negative, raise each weight value of the score function;

Step S32: obtain a new score value for each alarm data item according to the adjusted score function;

Steps S31 and S32 are repeated, and when the new score value is optimal, the training of the security event judgment model is completed.

6. An autonomous learning and judging system for security alarm events, comprising: a model building module, a model training module, an error correction module, and a judgment module;

the model building module is used to construct the security event judgment model, which includes a score function and a judgment function;

the model training module is used to train the security event judgment model: initialize each weight value of the score function, read the historical data sample set, convert the historical data sample set into matrix form, input each alarm data item in the matrix into the score function to obtain the corresponding score value, and substitute the score value of each alarm data item into the judgment function to obtain the calculation result;

the error correction module is used for error correction of the calculation result: subtract the corresponding calculation result from the real result of the alarm data to obtain the result error value, evaluate the result error value, adjust each weight value of the score function according to the evaluation result, and complete the training of the security event judgment model;

the judgment module is used to input the current alarm data for judgment: substitute the current alarm data into the trained score function to obtain the score value of the current alarm data, then substitute that score value into the judgment function to obtain the calculation result, and thereby judge whether the current alarm data is a security vulnerability.

7. The autonomous learning and judging system for security alarm events according to claim 6, wherein the score function in the model building module is y = w0 + w1x1 + … + wnxn and the judgment function is h(y) = sigmoid(y); where x1 … xn are the 1st … nth dependent variables corresponding to the alarm data, w1 … wn are the weight values of x1 … xn, and w0 is a fixed value used to adjust the output value.

8. The autonomous learning and judging system for security alarm events according to claim 6, wherein the historical data sample set in the model training module includes attribute values and judgment results, and the attribute values include alarm type, alarm level, asset quantity, application-layer protocol, and alarm port.

9. The autonomous learning and judging system for security alarm events according to claim 6, wherein the error correction module uses a square loss function or a logarithmic loss function to evaluate the result error value.

10. The autonomous learning and judging system for security alarm events according to claim 6, wherein the error correction module comprises:

a weight value adjustment sub-module, used to lower each weight value of the score function when the result error value is positive and to raise each weight value of the score function when the result error value is negative;

a calculation sub-module, used to obtain a new score value for each alarm data item according to the adjusted score function;

a determination sub-module, used to complete the training of the security event judgment model when the new score value is optimal.
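As an added, self-contained illustration of claims 6 to 10 (this is example code written for this page, not code from the patent or its assignee), the Python below builds the score function y = w0 + w1x1 + … + wnxn, the judgment function h(y) = sigmoid(y), the result error value (real result minus calculation result), the square and logarithmic loss functions, and the repeated adjust-and-rescore loop that stops once the loss no longer improves. The historical sample set, the alarm-type and protocol vocabularies and the one-hot/scaled feature encoding are constructed assumptions; the weight update is ordinary gradient descent on the mean log loss, in which every weight moves by the mean of (error × feature), which is the standard derivation rather than the sign-only rule of step S31.

```python
import math

# Constructed vocabularies for the categorical attributes the claims name
# (alarm type, application-layer protocol); the values are assumptions.
ALARM_TYPES = ["sql_injection", "brute_force", "port_scan", "icmp_ping"]
PROTOCOLS = ["http", "ssh", "tcp", "icmp"]


def featurize(alarm):
    """Convert one alarm record into the row x1..xn of the sample matrix.

    alarm = (alarm_type, alarm_level 1..5, asset_count, app_protocol, port).
    Categorical attributes are one-hot encoded; numeric ones are scaled to
    [0, 1] so one learning rate suits every weight.
    """
    atype, level, assets, proto, port = alarm
    row = [1.0 if atype == t else 0.0 for t in ALARM_TYPES]
    row += [1.0 if proto == p else 0.0 for p in PROTOCOLS]
    row += [level / 5.0, min(assets, 10) / 10.0, 1.0 if 0 < port < 1024 else 0.0]
    return row


def sigmoid(y):
    """Judgment function h(y) = sigmoid(y), guarded against exp() overflow."""
    if y < -700:
        return 0.0
    return 1.0 / (1.0 + math.exp(-y))


def score(weights, row):
    """Score function y = w0 + w1*x1 + ... + wn*xn; weights[0] is w0."""
    return weights[0] + sum(w * x for w, x in zip(weights[1:], row))


def judge(weights, row):
    """Calculation result: probability that the alarm is a real vulnerability."""
    return sigmoid(score(weights, row))


def result_error(real, computed):
    """Result error value as the claims define it: real minus computed result."""
    return real - computed


def square_loss(reals, computed):
    return sum((r - c) ** 2 for r, c in zip(reals, computed)) / len(reals)


def log_loss(reals, computed, eps=1e-12):
    return -sum(r * math.log(c + eps) + (1 - r) * math.log(1 - c + eps)
                for r, c in zip(reals, computed)) / len(reals)


def train(samples, lr=0.5, max_rounds=2000, tol=1e-6):
    """Repeat S31/S32: adjust weights, rescore, stop when the loss stops improving.

    Update = gradient descent on the mean log loss: each weight moves by
    lr * mean(error * x) with error = real - computed. Returns the trained
    weights and the per-round log-loss history.
    """
    matrix = [featurize(alarm) for alarm, _ in samples]
    labels = [float(label) for _, label in samples]
    n, n_feat = len(matrix), len(matrix[0])
    weights = [0.0] * (n_feat + 1)  # w0..wn initialised to zero
    history = []
    for _ in range(max_rounds):
        computed = [judge(weights, row) for row in matrix]
        errors = [result_error(r, c) for r, c in zip(labels, computed)]
        history.append(log_loss(labels, computed))
        weights[0] += lr * sum(errors) / n
        for j in range(n_feat):
            weights[j + 1] += lr * sum(e * row[j] for e, row in zip(errors, matrix)) / n
        if len(history) > 1 and history[-2] - history[-1] < tol:
            break  # new score values no longer improve: training complete
    return weights, history


def classify(weights, alarm, threshold=0.5):
    """Judgment module: True when the trained model rates the alarm a real vulnerability."""
    return judge(weights, featurize(alarm)) >= threshold


def accuracy(weights, samples):
    hits = sum(classify(weights, a) == bool(label) for a, label in samples)
    return hits / len(samples)


# Constructed historical sample set: ((type, level, assets, protocol, port), real result)
SAMPLES = [
    (("sql_injection", 4, 3, "http", 80), 1),
    (("port_scan", 1, 1, "tcp", 33445), 0),
    (("brute_force", 3, 2, "ssh", 22), 1),
    (("icmp_ping", 1, 1, "icmp", 0), 0),
    (("sql_injection", 5, 10, "http", 443), 1),
    (("port_scan", 2, 1, "tcp", 51000), 0),
    (("brute_force", 4, 5, "ssh", 22), 1),
    (("icmp_ping", 2, 1, "icmp", 0), 0),
]

if __name__ == "__main__":
    w, hist = train(SAMPLES)
    print(f"rounds={len(hist)} loss {hist[0]:.3f} -> {hist[-1]:.4f} "
          f"train accuracy={accuracy(w, SAMPLES):.2f}")
    print("new alarm is vulnerability:", classify(w, ("sql_injection", 3, 2, "http", 8080)))
```

The point a practitioner should take from this is the stopping rule: "new score value is optimal" only has meaning against a loss (claim 9's square or log loss) measured on the whole sample set, and a model trained on the scaled one-hot matrix above is only as good as the label quality of the historical set it learns from.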

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111047170.1A CN113743512A (en) 2021-09-07 2021-09-07 Autonomous learning judgment method and system for safety alarm event


Publications (1)

Publication Number Publication Date
CN113743512A true CN113743512A (en) 2021-12-03

Family

ID=78736782


Country Status (1)

Country Link
CN (1) CN113743512A (en)

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016029570A1 (en) * 2014-08-28 2016-03-03 北京科东电力控制系统有限责任公司 Intelligent alert analysis method for power grid scheduling
CN107040551A (en) * 2017-06-12 2017-08-11 北京匡恩网络科技有限责任公司 A kind of industry control network safe early warning method and system
CN110213287A (en) * 2019-06-12 2019-09-06 北京理工大学 A kind of double mode invasion detecting device based on ensemble machine learning algorithm
CN110263172A (en) * 2019-06-26 2019-09-20 国网江苏省电力有限公司南京供电分公司 A kind of evented autonomous classification method of power system monitor warning information
CN110334756A (en) * 2019-06-26 2019-10-15 国网江苏省电力有限公司 Method, terminal device, device and medium for identifying alarm events in power grid monitoring
CN110912737A (en) * 2019-11-14 2020-03-24 国网浙江省电力有限公司信息通信分公司 A Dynamic Perception Performance Early Warning Method Based on Mixed Model
CN110956628A (en) * 2019-12-13 2020-04-03 广州达安临床检验中心有限公司 Picture grade classification method and device, computer equipment and storage medium
CN110995475A (en) * 2019-11-20 2020-04-10 国网湖北省电力有限公司信息通信公司 Power communication network fault detection method based on transfer learning
CN111274395A (en) * 2020-01-19 2020-06-12 河海大学 Recognition method of power grid monitoring alarm events based on convolution and long short-term memory network
CN111475804A (en) * 2020-03-05 2020-07-31 浙江省北大信息技术高等研究院 Alarm prediction method and system
CN111539493A (en) * 2020-07-08 2020-08-14 北京必示科技有限公司 Alarm prediction method and device, electronic equipment and storage medium
US20200327029A1 (en) * 2019-02-15 2020-10-15 Aveva Software, Llc Process mapping and monitoring using artificial intelligence
CN111797135A (en) * 2020-06-24 2020-10-20 上海交通大学 Structured data processing method based on entity embedding
CN112153002A (en) * 2020-08-24 2020-12-29 杭州安恒信息技术股份有限公司 Alarm information analysis method, device, computer equipment and storage medium
CN112862211A (en) * 2021-03-09 2021-05-28 国网冀北电力有限公司信息通信分公司 Method and device for assigning orders of dynamic ring defects of communication management system
CN113157994A (en) * 2021-03-02 2021-07-23 昆山九华电子设备厂 Multi-source heterogeneous platform data processing method
US20210237645A1 (en) * 2020-01-30 2021-08-05 International Business Machines Corporation Modulating attention of responsible parties to predicted dangers of self-driving cars
CN113259379A (en) * 2021-06-15 2021-08-13 中国航空油料集团有限公司 Abnormal alarm identification method, device, server and storage medium based on incremental learning


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
TRASPER1: "浅谈线性多分类分类器(全连接层、SVM、Softmax classifier等)" [A brief discussion of linear multi-class classifiers (fully connected layer, SVM, Softmax classifier, etc.)], page 1, retrieved from the Internet: https://blog.csdn.net/Trasper1/article/details/82216305 *
WEI LIANG et al.: "A Security Situation Prediction Algorithm Based on HMM in Mobile Network", Wireless Communications and Mobile Computing, vol. 2018, pages 1-12 *
郝科伟: "基于机器学习方法的网络入侵检测技术研究" [Research on network intrusion detection technology based on machine learning methods], China Master's Theses Full-text Database: Information Science and Technology, no. 2019, pages 139-249 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20211203)